Is DocuSign HIPAA Compliant?

Can DocuSign be used with electronic protected health information (ePHI) by healthcare organizations without violating the HIPAA Rules? Is DocuSign HIPAA compliant?

DocuSign is a provider of electronic signature and transaction management services. On behalf of the company that sends a document, such as a contract, DocuSign collects the recipient's signature to confirm that the document was read and understood and that its terms and conditions were accepted.

Using eSignature services in the healthcare industry reduces the time spent on administrative tasks. eSignatures may be used on service level contracts, business associate agreements, patient authorization forms, credentialing forms and other documents. Many business associates use eSignatures when signing their BAAs.

But before an eSignature service is used on documents that contain ePHI, there must be a business associate agreement between the healthcare organization and the service provider, because HIPAA treats the service provider as a business associate.

Is DocuSign HIPAA Compliant?

DocuSign can become HIPAA compliant if it is willing to enter into a BAA with a HIPAA-covered entity. According to DocuSign's website, the company is willing to sign a BAA and has already signed BAAs with healthcare companies and life science clients.

DocuSign also states that it does not access the ePHI shared with it as a service provider, and that all documents passing through the service are properly secured. DocuSign says it fulfills its responsibilities regarding ePHI, is fully compliant with the HIPAA privacy and security requirements, and satisfies the HHS requirements for digital signatures.

Covered entities must have a signed BAA in place before using DocuSign with any ePHI; only then can DocuSign be considered HIPAA compliant. DocuSign users can only obtain a BAA if they sign up for an Enterprise account.